Opened 4 years ago

Last modified 18 months ago

#6372 enhancement new

Support native OS X trusted CA database for SSL certificate validation

Reported by: Itamar Turner-Trauring
Owned by:
Priority: normal
Milestone:
Component: core
Keywords:
Cc:
Branch:


This was originally part of #5446, where Glyph wrote:

On OS X, and again, I haven't done this, I believe you just have to call SSLCopyTrustedRoots to get the default trusted SSL CA certificates and then SecCertificateCopyData on the retrieved roots to turn them into DER (which we can then load into any SSL implementation).

Change History (2)

comment:1 Changed 3 years ago by Alex Gaynor

Here's some code from Go which appears to do this:

-- based on calling some APIs inside the Security Framework
-- based on invoking some CLI program which prints out a bunch of PEM-encoded certificates

comment:2 Changed 18 months ago by Glyph

The former (calling APIs inside Security Framework) is the right way to go, as it respects the user's current trust settings. The latter just grabs the bundle that was shipped with the OS, irrespective of whether the user has explicitly de-trusted some of those.
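As an added example (not code from this ticket, from Twisted, or from Go), here is the CLI-based route from comment:1 in Python, carrying the limitation comment:2 describes: it returns whatever roots the OS shipped, with no regard for the user's trust settings. It assumes macOS's /usr/bin/security tool, its `find-certificate -a -p <keychain>` form, and the SystemRootCertificates.keychain path; none of those names appear on the ticket.

```python
import ssl
import subprocess
import sys

# Keychain holding the roots Apple ships (assumed path, not from the ticket).
SYSTEM_ROOTS = "/System/Library/Keychains/SystemRootCertificates.keychain"
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed stand-in for CLI output: two fake "certificates" (base64 of
# "hello" and "world", not real DER) plus a label line a loader must skip.
SAMPLE_BUNDLE = """\
label: not a certificate
-----BEGIN CERTIFICATE-----
aGVsbG8=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
d29ybGQ=
-----END CERTIFICATE-----
"""


def pem_bundle_to_der(bundle: str) -> list[bytes]:
    """Split a PEM bundle into one DER blob per certificate; skip text
    outside the markers and reject an unterminated block."""
    ders, block = [], None
    for line in bundle.splitlines():
        line = line.strip()
        if line == PEM_BEGIN:
            block = [line]
        elif line == PEM_END and block is not None:
            block.append(line)
            ders.append(ssl.PEM_cert_to_DER_cert("\n".join(block) + "\n"))
            block = None
        elif block is not None:
            block.append(line)
    if block is not None:
        raise ValueError("unterminated PEM block")
    return ders


def macos_shipped_roots(keychain: str = SYSTEM_ROOTS) -> list[bytes]:
    """macOS only: dump the shipped roots with the security CLI as DER.
    Per comment:2 this ignores user trust settings (de-trusted roots stay)."""
    if sys.platform != "darwin":
        raise RuntimeError("the security CLI only exists on macOS")
    proc = subprocess.run(
        ["/usr/bin/security", "find-certificate", "-a", "-p", keychain],
        check=True, capture_output=True, text=True)
    return pem_bundle_to_der(proc.stdout)
```

The DER blobs, concatenated, can be passed to `ssl.SSLContext.load_verify_locations(cadata=...)`, which is the "load into any SSL implementation" step from the original quote.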
